Hey @fmartins! Thanks for reaching out.
It's not uncommon for third-party integrations to have certain restrictions, such as disallowing custom headers, but you can alternatively authenticate the call with a workflowApiKey query parameter.
Otherwise, the only way to trigger a workflow via webhook without an API key is to make the endpoint public.
This isn't a big deal if you are able to verify the alternate security method in the first block, but keep in mind the fact that workflows are billed by total runs.